Hello!

On Mon, Sep 08, 2014 at 01:06:15AM -0700, Piotr Sikora wrote:

> Hey Maxim,
>
> > After looking into http://trac.nginx.org/nginx/ticket/618,
> > I'm rather sceptical about BoringSSL-related fixes.
>
> To be fair, it was a regression that was fixed pretty fast once reported.

The question is how many other such regressions were introduced
and not yet reported.

> > On the other hand, if they indeed remove something we use, it may
> > be a good enough reason to reconsider the use of the flags
> > removed.
>
> Most of the defines that they removed (SSL_OP_MICROSOFT_SESS_ID_BUG,
> SSL_OP_NETSCAPE_CHALLENGE_BUG, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG and
> SSL_OP_MSIE_SSLV2_RSA_PADDING) were for options that were removed from
> BoringSSL along with SSLv2 support.
>
> They also removed SSL_OP_TLS_BLOCK_PADDING_BUG, which was broken for a
> while and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which nginx uses to
> disable CBC 0/n record splitting, which they replaced with CBC 1/n-1
> record splitting that is not enabled by default (see my other patch).
>
> This, however, doesn't mean that those options aren't doing anything
> in OpenSSL (or LibreSSL, for that matter), especially when you insist
> on supporting ancient versions of OpenSSL, so I don't think that we
> should remove them from nginx.

Ok, it looks like there are no reasons to remove workarounds in
question. And as SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER and
SSL_OP_TLS_D5_BUG are the only remaining workarounds without
guards, it makes sense to just use #ifdef's for all of them.

Committed, thanks.

-- 
Maxim Dounin
http://nginx.org/
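
The guard pattern the thread settles on, as an added example that is not nginx source or part of the original message: each workaround flag is referenced only inside its own `#ifdef`, so the same file builds whether or not the library still defines it. The two `#define`s stand in for a library header that dropped the other six flags; their bit values and the `workaround*` names are made up for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed stand-in for the header of a library that dropped six of the
 * flags named in the thread; the bit values are invented for this demo. */
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x1UL
#define SSL_OP_TLS_D5_BUG                 0x2UL

struct workaround { const char *name; unsigned long bit; };  /* hypothetical */
/* An entry is compiled in only when the library still defines the flag. */
static const struct workaround workarounds[] = {
#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
    { "SSL_OP_MICROSOFT_SESS_ID_BUG", SSL_OP_MICROSOFT_SESS_ID_BUG },
#endif
#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
    { "SSL_OP_NETSCAPE_CHALLENGE_BUG", SSL_OP_NETSCAPE_CHALLENGE_BUG },
#endif
#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
    { "SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
#endif
#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
    { "SSL_OP_MSIE_SSLV2_RSA_PADDING", SSL_OP_MSIE_SSLV2_RSA_PADDING },
#endif
#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
    { "SSL_OP_TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG },
#endif
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
    { "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
#endif
#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
    { "SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
#endif
#ifdef SSL_OP_TLS_D5_BUG
    { "SSL_OP_TLS_D5_BUG", SSL_OP_TLS_D5_BUG },
#endif
};
#define N_WORKAROUNDS (sizeof(workarounds) / sizeof(workarounds[0]))

size_t workaround_count(void) { return N_WORKAROUNDS; }
/* OR together every workaround bit that survived the guards. */
unsigned long workaround_mask(void) {
    unsigned long mask = 0;
    for (size_t i = 0; i < N_WORKAROUNDS; i++)
        mask |= workarounds[i].bit;
    return mask;
}

int main(void) {
    for (size_t i = 0; i < N_WORKAROUNDS; i++) printf("enabled: %s\n", workarounds[i].name);
    return 0;
}
```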